OSSL_STORE and PKCS#12: Check if there is a MAC to verify before prom…

…pting When a DER object with unknown contents comes all the way to ossl_store_handle_load_result(), and it attempts to decode them as different objects, the PKCS#12 decoding attempt would (almost) always prompt for a passphrase, even if there isn't a MAC to verify it against in the PKCS#12 object. This change checks if there is a MAC to verify against before attempting to prompt for a passphrase, leading to less surprising behavior. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from #21197) (cherry picked from commit 7a52061)
openssl · Jun 25, 2023 · b7a29bc · b7a29bc
1 parent 24479b2
commit b7a29bc
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
@@ -553,8 +553,10 @@ static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
 
             ok = 0;              /* Assume decryption or parse error */
 
-            if (PKCS12_verify_mac(p12, "", 0)
+            if (!PKCS12_mac_present(p12)
                 || PKCS12_verify_mac(p12, NULL, 0)) {
+                pass = NULL;
+            } else if (PKCS12_verify_mac(p12, "", 0)) {
                 pass = "";
             } else {
                 static char prompt_info[] = "PKCS12 import pass phrase";